Some of the hacking methods employed by TAO are already known. Their most successful ploy is the Quantum Injection method, which uses an NSA-controlled shadow internet to operate a sophisticated man-in-the-middle attack on targets. But a new Spiegel report published recently fills in some of the gaps around Quantum and other capabilities available to TAO.
As with traditional cybercriminals, a successful intrusion relies on a combination of accurate intelligence and sophisticated tools. The intelligence can come from many sources, but Spiegel describes a new method. Once a target has been specified, the NSA can 'listen' for any error reports generated by the target's computer (Windows is apparently a favorite) and sent back to the manufacturer. This is described as 'passive access'; but it can provide the information necessary for subsequent 'active access.'
"This passive access to error messages," writes Spiegel, "provides valuable insights into problems with a targeted person's computer and, thus, information on security holes that might be exploitable for planting malware or spyware on the unwitting victim's computer." It goes on to note that in one leaked document, the NSA author includes a graphic that replaces the standard Microsoft message with, "This information may be intercepted by a foreign sigint system to gather detailed information and better exploit your machine."
The exploits used against the target appear to come from a separate group named ANT – "which presumably stands for Advanced or Access Network Technology," suggests Spiegel. ANT seems to maintain a catalog of both hardware and software surveillance tools available to TAO, complete with prices.
"The ANT developers have a clear preference for planting their malicious code in so-called BIOS, software located on a computer's motherboard that is the first thing to load when a computer is turned on," notes Spiegel. This ensures that it remains hidden from anti-virus defenses, and persistent through both reboots and reformats – similar, in fact, to the elusive so-called BadBIOS infection affecting security researcher Dragos Ruiu.
One method that is used for implanting surveillance technology is to intercept new computers purchased over the internet. TAO "even intercepts shipping deliveries to plant back doors in electronics ordered by those it is targeting," writes Spiegel.
Hardware options available to TAO from the ANT catalog range from an inexpensive rigged monitor cable, costing just $30, "that allows 'TAO personnel to see what is displayed on the targeted monitor,'" to "an 'active GSM base station' – a tool that makes it possible to mimic a mobile phone tower and thus monitor cell phones" costing $40,000, writes Spiegel. "Computer bugging devices disguised as normal USB plugs, capable of sending and receiving data via radio undetected, are available in packs of 50 for over $1 million."
But Quantum remains the most successful deployment. Before it was developed, the NSA relied on traditional spam attacks to infect their targets – but spam is ineffective against security-minded targets. Now, "Certain QUANTUM missions have a success rate of as high as 80%, where spam is less than 1%," one internal NSA presentation states.
Another document lists Quantum's targeted providers. "NSA QUANTUM has the greatest success against Yahoo, Facebook and static IP addresses," it states. Spiegel adds, "The presentation also notes that the NSA has been unable to employ this method to target users of Google services. Apparently, that can only be done by Britain's GCHQ intelligence service, which has acquired QUANTUM tools from the NSA."
The TAO cycle is textbook criminology: select target, gather intelligence (for example, by monitoring error reports), exploit (for example, via Quantum injection or intercepted shipments), and infect (with malware tailor-made for Tailored Access Operations by ANT).